Audit Report

OIG-09-020
Management Letter for Fiscal Year 2008
Audit of the Office of Thrift Supervision’s Financial Statements

December 18, 2008

Office of Inspector General
Department of the Treasury


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

OFFICE OF INSPECTOR GENERAL

December 18, 2008

MEMORANDUM FOR JOHN M. REICH, DIRECTOR
               OFFICE OF THRIFT SUPERVISION

FROM:          Michael Fitzgerald /s/
               Director, Financial Audits

SUBJECT:       Management Letter for Fiscal Year 2008 Audit of the Office of Thrift Supervision’s Financial Statements

I am pleased to transmit the attached management letter in connection with the audit of the Office of Thrift Supervision’s (OTS) Fiscal Year (FY) 2008 financial statements. Under a contract monitored by the Office of Inspector General, Lani Eko & Company, CPAs, PLLC (Lani Eko), an independent certified public accounting firm, performed an audit of the financial statements of OTS as of September 30, 2008, and for the year then ended. The contract required that the audit be performed in accordance with generally accepted government auditing standards; applicable provisions of Office of Management and Budget Bulletin No. 07-04, Audit Requirements for Federal Financial Statements; and the GAO/PCIE Financial Audit Manual.

As part of its audit, Lani Eko issued and is responsible for the accompanying management letter that discusses certain matters involving internal control and its operation that were identified during the audit but were not required to be included in the auditor’s reports.

In connection with the contract, we reviewed Lani Eko’s letter and related documentation and inquired of its representatives. Our review disclosed no instances where Lani Eko did not comply, in all material respects, with generally accepted government auditing standards.

Should you have any questions, please contact me at (202) 927-5789, or a member of your staff may contact Mark S. Levitt, Manager, Financial Audits, at (202) 927-5076.

Attachment


INDEPENDENT AUDITOR’S MANAGEMENT LETTER

To the Inspector General
U.S. Department of the Treasury

We have audited the financial statements of the U.S. Department of the Treasury, Office of Thrift Supervision (OTS) as of and for the year ended September 30, 2008. In planning and performing our audit, we considered the OTS’ internal control over financial reporting as a basis for designing our auditing procedures, obtained an understanding of the design effectiveness of internal controls, determined whether the internal controls have been placed in operation, assessed control risk, and performed tests of the OTS’ internal controls for the purpose of expressing our opinion on the financial statements, but not for the purpose of expressing an opinion on the effectiveness of the OTS’ internal control over financial reporting.

We noted certain matters involving internal control that are presented in the attachment to this letter for your consideration. We believe these matters warrant management’s attention. These comments and recommendations, all of which have been discussed with the appropriate members of management, are intended to improve the OTS’ internal controls or result in other operating efficiencies.

This report is intended solely for the information and use of the Inspector General of the U.S. Department of the Treasury, the management of the OTS, the OMB, the Government Accountability Office and Congress, and is not intended to be and should not be used by anyone other than these specified parties.

October 31, 2008
Alexandria, VA


Office of Thrift Supervision
FY 2008 Financial Statement Audit
Comment and Recommendations - #1

Oversight of Bureau of the Public Debt Administrative Resource Center Accounting Services

CONDITION
OTS management did not provide adequate oversight and monitoring of accounting estimates prepared by OTS personnel and accounting services provided by the Bureau of the Public Debt (BPD), Administrative Resource Center (ARC). ARC provides accounting services to OTS. During our interim and year-end testing, we noted the following weaknesses in OTS management’s oversight and monitoring of accruals prepared by OTS personnel and ARC accounting services:

   •   Reconciliations of OTS cash accounts performed by ARC lacked evidence of review and approval by OTS Financial Operations staff.
   •   OTS transitioned to a new payroll process in August 2008, transferring the payroll processing from an internal payroll system to the National Finance Center’s payroll system. Based on our year-end audit fieldwork, we noted that OTS is not provided with payroll reconciliations from ARC to ensure that payroll data is being recorded accurately.
   •   Lack of OTS management review of accounts payable accruals prior to submission to ARC for processing.
   •   Inconsistent methodology in the estimation of the year-end accruals. In some instances accruals were estimated based on the outstanding balance of the executed contracts, and in other instances accruals were estimated based on the OTS staff knowledge of the contract progress.

CAUSE
OTS places significant reliance on ARC to accurately perform accounting services and does not provide the appropriate level of oversight and monitoring of ARC activities related to OTS transactions. In addition, OTS does not have a written procedure for estimating accruals.

CRITERIA
Standards for Internal Control in the Federal Government issued by the Government Accountability Office state that control activities occur at all levels and functions of the entity. They include a wide range of diverse activities such as approvals, authorizations, verifications, reconciliations, performance reviews, maintenance of security, and the creation and maintenance of related records which provide evidence of execution of these activities as well as appropriate documentation.

Statement of Federal Financial Accounting Standards No. 1, Accounting for Selected Assets and Liabilities, requires that when an entity accepts title to goods, whether the goods are delivered or in transit, the entity should recognize a liability for the unpaid amount of the goods. If invoices for those goods are not available when financial statements are prepared, the amounts owed should be estimated.

Office of Management & Budget (OMB) Circular A-123, Management’s Responsibility for Internal Control, requires that monitoring the effectiveness of internal control should occur in the normal course of business. In addition, periodic reviews, reconciliations or comparisons of data should be included as part of the regular assigned duties of personnel. Periodic assessments should be integrated as part of management’s continuous monitoring of internal control, which should be ingrained in the agency’s operations.

EFFECT
OTS financial statements are susceptible to misstatements.

RECOMMENDATION
We recommend OTS management (1) review and strengthen its policies and procedures to ensure proper oversight and monitoring of ARC, and (2) develop and implement written procedures for estimating year-end accruals.

MANAGEMENT RESPONSE
OTS management concurs with the findings and recommendations.


Office of Thrift Supervision
FY 2008 Financial Statement Audit
Comment and Recommendation - #2

Monitoring of Mileage Reimbursement

CONDITION
We noted that expense reports for mileage reimbursements submitted for travel by privately owned vehicles by OTS staff and consultants are not reviewed to ensure that the mileage claims are accurate and valid to adequately support the expenses.

CAUSE
OTS supervisors are not required to verify the mileage as part of the review of expense reports for travel.

CRITERIA
OTS travel policies and procedures require that travel reimbursements are subject to supervisory review and approval.

EFFECT
Without proper support of mileage expenses, OTS is susceptible to fraud, waste and/or abuse. In fiscal year 2008, OTS reported approximately $2 million for travel mileage expense.

RECOMMENDATION
We recommend that OTS revise its travel policies and procedures to require the verification of the mileage as part of the review and approval of the claim for reimbursement.

MANAGEMENT RESPONSE
OTS concurs with the finding and recommendation.


Office of Thrift Supervision
FY 2008 Financial Statement Audit
Comment and Recommendations - #3

Access Controls Over Computer Resources

CONDITION
Access controls limit or detect access to computer resources (data, programs, equipment, and facilities), thereby protecting these resources against unauthorized modification, loss, and disclosure. OTS access controls for the General Support System (GSS), National Application Tracking System, Assessment Billing System and Furniture, Fixtures and Equipment System (Inventory Tracking System) need improvement. We noted the following weaknesses in OTS access controls:

   •   Access authorizations are not documented on standard forms and maintained on file, approved by senior managers, and securely transferred to security managers.
   •   Security managers do not review access authorizations and discuss questionable authorizations with resource owners.
   •   System owners do not periodically review access authorization listings to determine whether they remain appropriate.
   •   Inactive user accounts are not monitored and removed when not needed.
   •   Controls are not adequate to ensure that prior to sharing data or programs with other entities, agreements are documented regarding how those files are to be protected.
   •   Facilities housing sensitive and critical resources have not been identified.
   •   All significant threats to the physical well-being of sensitive and critical resources have not been identified and related risks determined.
   •   Access to sensitive areas is not limited to those individuals who routinely need access through the use of guards, identification badges, or entry devices, such as key cards.
   •   Management does not regularly review the list of persons with physical access to sensitive facilities.
   •   Keys or other access devices are not used to enter the computer room and tape/media library.
   •   The entry codes for the computer room are not changed quarterly or when key personnel leave.
   •   Visitors to sensitive areas, such as the main computer room and tape/media library, are not formally signed in and escorted.
   •   Visitors, contractors, and maintenance personnel are not authenticated through the use of preplanned appointments and identification checks.
   •   Database management systems (DBMS) and data dictionary (DD) controls have not been implemented to: restrict access to data files at the logical data view, field, or field-value level; control access to the data dictionary using security profiles and passwords; maintain audit trails that allow monitoring of changes to the data dictionary; provide inquiry and update capabilities from application program functions, interfacing DBMS or the data dictionary.
   •   The use of DBMS utilities is not limited to administrators.
   •   Access and changes to DBMS software are not controlled.
   •   Access to security profiles in the data dictionary and security tables in the DBMS is not limited.

CAUSE
OTS does not document logical access control policies and procedures for the significant financial applications. OTS does not document physical access control policies and procedures for the data centers that support the significant financial applications.

CRITERIA
NIST Special Publication 800-53 (Revision 2), Recommended Security Controls for Federal Information Systems

ACCESS CONTROL POLICY AND PROCEDURES:
The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.

EFFECT
By not maintaining sufficient logical and physical access controls, the OTS exposed the General Support System (GSS), National Application Tracking System, Assessment Billing System and Furniture, Fixtures and Equipment System (Inventory Tracking System) to the risk that unauthorized individuals could gain access to sensitive information. Additionally, OTS’ ability to protect sensitive data or equipment from theft or inadvertent disclosure would be compromised if an unauthorized person entered a restricted facility containing sensitive OTS equipment and data.

RECOMMENDATION
We recommend OTS review and strengthen its physical and logical access control policies and procedures to ensure only authorized individuals have access to sensitive information.

MANAGEMENT RESPONSE
OTS management concurs with the findings and recommendation.
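Three of the logical access weaknesses in Comment and Recommendations #3 (access authorizations not documented and approved, inactive accounts not monitored and removed, DBMS utility access not limited to administrators) are the kind of condition a system owner can detect with a periodic review of the access authorization listing. The script below is an added example and is not part of the audit report or any OTS system. It assumes a hypothetical CSV export with the columns user, role, last_login, approved_by and dbms_utilities, a 90-day inactivity threshold (the report sets no number), and that only the roles dba and sysadmin may hold DBMS utility access; the sample listing is constructed.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional, Tuple

# Constructed sample export (not OTS data). Assumed columns:
# user, role, last_login (YYYY-MM-DD, blank = never logged in),
# approved_by (blank = no documented authorization on file),
# dbms_utilities (yes/no = whether the account can run DBMS utilities).
SAMPLE_LISTING = """\
user,role,last_login,approved_by,dbms_utilities
jdoe,analyst,2008-09-15,mgr1,no
asmith,analyst,2008-03-01,mgr1,no
bjones,contractor,,,no
dba01,dba,2008-09-29,mgr2,yes
rlee,analyst,2008-09-20,mgr1,yes
"""

AS_OF = date(2008, 9, 30)           # fiscal year end used by the audit
INACTIVITY_DAYS = 90                # assumed threshold; the report names none
ADMIN_ROLES = {"dba", "sysadmin"}   # assumed roles permitted to use DBMS utilities


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    last_login: Optional[date]
    approved_by: Optional[str]
    dbms_utilities: bool


def parse_listing(text: str) -> List[Account]:
    """Parse the CSV export into Account records; blank fields become None."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        last = row["last_login"].strip()
        approver = row["approved_by"].strip()
        accounts.append(Account(
            user=row["user"].strip(),
            role=row["role"].strip().lower(),
            last_login=datetime.strptime(last, "%Y-%m-%d").date() if last else None,
            approved_by=approver or None,
            dbms_utilities=row["dbms_utilities"].strip().lower() == "yes",
        ))
    return accounts


def review_accounts(accounts: List[Account], as_of: date,
                    inactivity_days: int = INACTIVITY_DAYS) -> List[Tuple[str, str]]:
    """Return (user, issue) pairs for the system owner to act on.

    Each check corresponds to one weakness from the finding: missing
    documented authorization, inactivity past the threshold (an account
    that never logged in counts as inactive), and DBMS utility access
    held by a non-administrator role.
    """
    findings = []
    for acct in accounts:
        if acct.approved_by is None:
            findings.append((acct.user, "no documented access authorization on file"))
        if acct.last_login is None or (as_of - acct.last_login).days > inactivity_days:
            findings.append((acct.user,
                             f"inactive for more than {inactivity_days} days; remove or justify"))
        if acct.dbms_utilities and acct.role not in ADMIN_ROLES:
            findings.append((acct.user, "DBMS utility access granted outside administrator roles"))
    return findings


def run_review() -> List[Tuple[str, str]]:
    """Run the review over the constructed listing as of fiscal year end."""
    return review_accounts(parse_listing(SAMPLE_LISTING), AS_OF)


if __name__ == "__main__":
    for user, issue in run_review():
        print(f"{user}: {issue}")
```

The review is deliberately split into parsing and checking so the same checks can be run against a real export from each of the four applications named in the finding; the output list is what the system owner signs off on, which also produces the evidence of periodic review that the finding says was missing.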